0

I have another question about a pair of servers on which I cannot turn off TLS 1.0/1.1, even though IISCrypto is showing them off and I made the right reg entries.

The servers run an IIS10/PHP7.4/MySQL8 stack. (I am not the person who set up the server builds - just trying to update it)

Anyway normally for mysql on apache I would add the following to make sure it wasn't using older TLS versions:

MinProtocol = TLSv1.2

Well, when I go into the MySQL path I see an SSL folder, but there is nothing in it, including the openssl config file that I need to update. From the command prompt I see that SSL is working. So where is it getting its config? Can I inject that config setting into the server settings?

blankip

1 Answer

1

There is so much to unravel in this question ...

> I cannot turn off TLS 1.0/1.1. Even though IISCrypto showing them off

Are you talking about Windows Server, IIS web services or a MySQL service? All of those can (read: must) be configured separately and do not share a config "option" for TLS versions.

> normally for mysql on apache

MySQL on Apache? The first one is a database server, the second one is a web server; both can (must) be configured separately.

> MinProtocol = TLSv1.2

This line can go in many places:

  • Most Linux distros do use a system_default section in their native OpenSSL config nowadays.
  • This line is also valid for an OpenSSL (Linux) MySQL configuration (as long as it is compiled with OpenSSL 1.0.1 or higher).
  • Apache also has an SSLProtocol directive.

From the question I understand you want to connect to a MySQL server on windows. If that is the case, edit your my.ini like this:

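[mysqld]
# Refuse client connections that are not encrypted
require_secure_transport=true
# Comma-separated list of the protocol versions the server accepts
tls_version=TLSv1,TLSv1.1,TLSv1.2
ssl-ca=[...]/certs/nfa-ca-cert.pem
ssl-cert=[...]/certs/nfa-console-cert.pem
ssl-key=[...]/certs/nfa-console-key.pem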

  If that's not the case, please define (exactly) what you are trying to do.

bjoster
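
An added example, not part of the question or the answer: a small Python check that reads a my.ini and reports whether its [mysqld] section still permits TLSv1/TLSv1.1 or allows plaintext connections. The function name audit_my_ini, the sample file contents and the certificate path are constructed for illustration.

```python
import configparser

# Protocol versions the question wants disabled.
LEGACY = {"tlsv1", "tlsv1.1"}

def audit_my_ini(text):
    """Return a list of TLS findings for the [mysqld] section of a my.ini."""
    cp = configparser.ConfigParser(
        allow_no_value=True,        # my.ini allows bare options such as skip-networking
        strict=False,               # tolerate repeated options and sections
        interpolation=None,         # keep % and Windows paths literal
        comment_prefixes=("#", ";"),
        delimiters=("=",),
    )
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return ["no [mysqld] section: server TLS options are not set in this file"]
    # MySQL treats '-' and '_' in option names as equivalent; normalise to '_'.
    opts = {k.replace("-", "_"): (v or "").strip() for k, v in cp.items("mysqld")}
    findings = []
    if "tls_version" not in opts:
        findings.append("tls_version unset: server falls back to its built-in default list")
    else:
        enabled = {p.strip().lower() for p in opts["tls_version"].split(",") if p.strip()}
        for proto in sorted(enabled & LEGACY):
            findings.append(f"tls_version still permits {proto}")
    if opts.get("require_secure_transport", "").lower() not in ("1", "on", "true"):
        findings.append("require_secure_transport is off: plaintext connections allowed")
    return findings

# Constructed sample: same tls_version value as the snippet in the answer.
WEAK = """[mysqld]
require_secure_transport=true
tls_version=TLSv1,TLSv1.1,TLSv1.2
ssl-ca=C:/certs/ca.pem
"""

# Constructed sample: only TLS 1.2 is listed.
FIXED = WEAK.replace("TLSv1,TLSv1.1,TLSv1.2", "TLSv1.2")

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit_my_ini(text) or "no findings")
```

The file is only what the server is told at startup; the value actually in effect can be read from a running server with SHOW GLOBAL VARIABLES LIKE 'tls_version'.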